DEV Community

Shivlal Sharma
Shivlal Sharma

Posted on

How to setup AWS Control Tower in your organisation.

Large organisations always have problem to manage to multiple AWS accounts and their configurations. Sometimes it become very tedious task for developers also to manage right resources on the right place.

Hmm, okay let me tell you one thing! What if i have a central place from where you can track all your multi-account configurations, manage them and control access of your all employees.

You heard it right! AWS does provide that central place and it's name it AWS control tower.

AWS Control Tower

AWS Control Tower is a service offered by Amazon Web Services (AWS) that aids businesses in setting up and managing a safe, well-designed multi-account AWS environment.

It offers a consolidated dashboard and automation tools to simplify the management of your AWS accounts, making it simpler to maintain a safe and effective AWS environment.

Okay, so that was all about what is AWS control tower, now let's see how to setup it in your current AWS account.

Steps to Setup Control Tower.

1: Create a landing zone

Landing zone is that central place where all your AWS accounts will land in the form of OUs.

In simple language, a landing zone in AWS Control Tower is like a starting point or foundation for setting up and managing your AWS environment. It is a pre-configured and secure AWS environment that includes multiple AWS accounts organised in a structured manner.

AWS Control Tower

AWS Control Tower

Pricing of AWS Control Tower

There is not extra cost for using AWS control tower, you only pay for the services which are enabled by control tower.

AWS Control Tower

Select the regions which you want to add it under the governance of your landing zone. I am choosing us-east-1 as my home region. Click Next

2. Create a foundational ou

AWS Control Tower

AWS control tower will create a security OU(organisation unit) in which it will create two shared AWS accounts: log-archive and audit.

By creating a foundational OU, AWS Control Tower helps establish a structured hierarchy for your AWS accounts, enabling better governance and management. You can also add additional OUs in this landing zone.

3. Setting up shared accounts

After creating a foundational ou, now you have to setup that two shared accounts like adding account email and names for those accounts.

AWS Control Tower

AWS Control Tower

It is not mandatory that you only create new accounts, you can also include the existing accounts as log-archive and audit account.

4. Additional configurations.

AWS Control Tower

Now we are in the final stage where you can add additional configurations where you can setup IAM identity center to manage access of your team.

You can enable or disable cloudtrail to monitor all account activities in the form of logs at a central s3 bucket.

5. Review and setup landing zone.

AWS Control Tower

Review all your changes and click setup landing zone.

AWS Control Tower

Ok, now the most important step comes. Grab a cup of coffee and wait until the process is completed.
Alt Text

And once it is done you can see 1 ou and 2 AWS accounts listed on the landing zone.

AWS Control Tower


In this blog we saw how we can setup a landing zone to get started with AWS control tower. You can create different OUs and add domain specific AWS accounts in those OUs. It will help you to organise your accounts for faster account access and better management.

Other things you can do with control tower:
1: Create a new AWS account.
2: Add existing AWS account(accounts outside of landing zone)to the landing zone.
3: Remove any added AWS account from landing zone.

Top comments (0)